Last month, the U.S. Department of Homeland Security directed federal agencies to begin employing enhanced security methods and protocols on all government email accounts. This action is an effort to halt the impersonation of U.S. government email domains, referred to as spoofing, by attackers intent on deploying a dizzying array of cyber attacks typically initiated by a phishing campaign. Many reports trace the start of a cyber attack squarely to phishing campaigns, with some attributing over 90% of cyberattacks to phishing, so it makes sense that the DHS would require greater email security for federal government email accounts and inboxes.
DHS also mandated that every U.S. federal government website be accessible via a secure connection; that is, that government websites move from HTTP to HTTPS.
DHS has stipulated that all government agencies adopt Domain-based Message Authentication, Reporting & Conformance, or DMARC. DMARC is a proposed Internet Engineering Task Force (IETF) standard for email authentication. It lets a domain owner publish an email authentication policy and receive reports on the results. It allows both senders and recipients to determine whether an email really was sent from the address it appears to come from, and it tells the recipient how to handle the email if that check fails. DMARC builds on two existing mechanisms: the Sender Policy Framework (SPF) proposed standard (RFC 7208), which validates incoming email by checking that the sending host is authorized for the domain, and DomainKeys Identified Mail (DKIM), an email authentication method (RFC 6376) that attaches a digital signature to an email and checks that signature against the sending domain name (using the signing entity’s public key).
The DHS has given federal agencies 90 days in which to implement the additional email (and web) security measures.
And, while DMARC can help make it easier for U.S. federal agencies to identify cyber attacks like spam and phishing, it does not and cannot stop every kind of phishing attack. The DMARC organization's website states this in its Frequently Asked Questions (FAQ) wiki:
No. DMARC is only designed to protect against direct domain spoofing. If the owners/operators of example.com use DMARC to protect that domain, it would have no effect on otherdomain.com or example.net (notice the ".net" vs. ".com").
While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address cousin domain attacks (i.e. sending from a domain that looks like the target being abused - e.g. exampl3.com vs. example.com), or display name abuse (i.e. modifying the "From" field to look as if it comes from the target being abused).
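The gap the FAQ describes can be shown in a few lines. The following is an added example, not code from the FAQ or from any vendor: it takes SPF and DKIM results as given inputs, applies a simplified relaxed-alignment DMARC check, and then runs two separate heuristics for the cousin-domain and display-name cases. The two-label organizational-domain shortcut, the edit-distance threshold of 2, and all sample messages are assumptions constructed for illustration.

```python
from email.utils import parseaddr

PROTECTED = "example.com"  # constructed: the domain whose owner published DMARC

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_pass(from_header, spf_domain, spf_ok, dkim_domain, dkim_ok):
    """Relaxed alignment: SPF or DKIM must pass for a domain sharing the
    organizational domain of the From: address."""
    from_dom = org_domain(parseaddr(from_header)[1].rpartition("@")[2])
    return ((spf_ok and org_domain(spf_domain) == from_dom)
            or (dkim_ok and org_domain(dkim_domain) == from_dom))

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def beyond_dmarc(from_header, max_distance=2):
    """Flag the two cases the FAQ says DMARC does not address."""
    name, addr = parseaddr(from_header)
    dom = org_domain(addr.rpartition("@")[2])
    if dom == PROTECTED:
        return None                      # same domain: DMARC's job
    if edit_distance(dom, PROTECTED) <= max_distance:
        return "cousin-domain"
    if PROTECTED in name.lower():
        return "display-name"
    return None

# Constructed samples: (From header, SPF domain, SPF ok, DKIM domain, DKIM ok)
SAMPLES = [
    ("Agency <alerts@example.com>", "bulk.sender.test", True, "", False),
    ("Agency <alerts@exampl3.com>", "exampl3.com", True, "exampl3.com", True),
    ('"example.com Support" <help@mailer-7.test>', "mailer-7.test", True, "", False),
]

def evaluate(samples=SAMPLES):
    return [(dmarc_pass(*s), beyond_dmarc(s[0])) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, evaluate()):
        print(sample[0], "->", result)
```

Only the first sample, a direct spoof of example.com, fails DMARC; the other two pass it because the sender controls the domain in the From: address, and they are caught only by the extra heuristics.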
In a recent interview with, and article written by, Amanda Ciccatelli in Law.com’s Corporate Counsel publication, Menlo Security’s CTO, Kowsik Guruswamy, said that federal agencies’ “adoption of DMARC, which provides basic protection against email spoofing, and ensuring that all federal agencies only provide service through websites with a secure HTTPS connection” are “basic measures that these agencies must implement to accelerate them into the modern cyber security era.”
Kowsik went on to state that, “All agencies need a security system that protects against cybercriminals [because] we cannot rely on employees to prevent cyberattacks.”
“We know these intrusions can be stopped. We keep threats, attacks, and intrusions from happening every single day,” Kowsik said. “We developed the technology that removes these threats so that users always have a safe experience without ever accidentally clicking on a dangerous link, exposing vulnerabilities within their systems.”
So, while adopting DMARC and mandating that all government websites be accessible via a secure connection (HTTPS) is a great first step in securing federal agencies’ email from basic phishing attacks, more is necessary.
And, that “more” is isolation.
To learn more about and view a demonstration of the Menlo Security Isolation Platform (MSIP), please register for and visit the Menlo Security table at SINET Showcase, at The National Press Club in Washington, DC, November 8 and 9.
Please read Kowsik Guruswamy’s interview in Amanda Ciccatelli’s article, “Email Security at Risk: Stopping Hackers in Their Tracks”, in Law.com’s Corporate Counsel.
For more information on the Menlo Security Isolation Platform and how it addresses phishing attacks, please download the report, “The Evolution of Phishing Techniques”.